OpenVPN
tls_crypt.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2016-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #endif
27 
28 #include "syshead.h"
29 
30 #include "argv.h"
31 #include "base64.h"
32 #include "crypto.h"
33 #include "platform.h"
34 #include "run_command.h"
35 #include "session_id.h"
36 #include "ssl.h"
37 
38 #include "tls_crypt.h"
39 
40 const char *tls_crypt_v2_cli_pem_name = "OpenVPN tls-crypt-v2 client key";
41 const char *tls_crypt_v2_srv_pem_name = "OpenVPN tls-crypt-v2 server key";
42 
44 static const uint8_t TLS_CRYPT_METADATA_TYPE_USER = 0x00;
46 static const uint8_t TLS_CRYPT_METADATA_TYPE_TIMESTAMP = 0x01;
47 
48 static struct key_type
49 tls_crypt_kt(void)
50 {
51  return create_kt("AES-256-CTR", "SHA256", "tls-crypt");
52 }
53 
54 int
55 tls_crypt_buf_overhead(void)
56 {
57  return packet_id_size(true) + TLS_CRYPT_TAG_SIZE + TLS_CRYPT_BLOCK_SIZE;
58 }
59 
60 void
61 tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata,
62  const char *key_file, bool key_inline, bool tls_server)
63 {
64  const int key_direction = tls_server ?
65  KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
66  struct key_type kt = tls_crypt_kt();
67  if (!kt.cipher || !kt.digest)
68  {
69  msg(M_FATAL, "ERROR: --tls-crypt not supported");
70  }
71  crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction,
72  "Control Channel Encryption", "tls-crypt", keydata);
73 }
74 
78 static void
79 xor_key2(struct key2 *key, const struct key2 *other)
80 {
81  ASSERT(key->n == 2 && other->n == 2);
82  for (int k = 0; k < 2; k++)
83  {
84  for (int j = 0; j < MAX_CIPHER_KEY_LENGTH; j++)
85  {
86  key->keys[k].cipher[j] = key->keys[k].cipher[j] ^ other->keys[k].cipher[j];
87  }
88 
89  for (int j = 0; j < MAX_HMAC_KEY_LENGTH; j++)
90  {
91  key->keys[k].hmac[j] = key->keys[k].hmac[j] ^ other->keys[k].hmac[j];
92  }
93 
94  }
95 }
96 
97 bool
98 tls_session_generate_dynamic_tls_crypt_key(struct tls_multi *multi,
99  struct tls_session *session)
100 {
101  session->tls_wrap_reneg.opt = session->tls_wrap.opt;
102  session->tls_wrap_reneg.mode = TLS_WRAP_CRYPT;
103  session->tls_wrap_reneg.cleanup_key_ctx = true;
104  session->tls_wrap_reneg.work = alloc_buf(BUF_SIZE(&session->opt->frame));
105  session->tls_wrap_reneg.opt.pid_persist = NULL;
106 
107  packet_id_init(&session->tls_wrap_reneg.opt.packet_id,
108  session->opt->replay_window,
109  session->opt->replay_time,
110  "TLS_WRAP_RENEG", session->key_id);
111 
112 
113  struct key2 rengokeys;
114  if (!key_state_export_keying_material(session, EXPORT_DYNAMIC_TLS_CRYPT_LABEL,
115  strlen(EXPORT_DYNAMIC_TLS_CRYPT_LABEL),
116  rengokeys.keys, sizeof(rengokeys.keys)))
117  {
118  return false;
119  }
120  rengokeys.n = 2;
121 
122  if (session->tls_wrap.mode == TLS_WRAP_CRYPT
123  || session->tls_wrap.mode == TLS_WRAP_AUTH)
124  {
125  xor_key2(&rengokeys, &session->tls_wrap.original_wrap_keydata);
126  }
127 
128  const int key_direction = session->opt->server ?
129  KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
130 
131  struct key_direction_state kds;
132  key_direction_state_init(&kds, key_direction);
133 
134  struct key_type kt = tls_crypt_kt();
135 
136  init_key_ctx_bi(&session->tls_wrap_reneg.opt.key_ctx_bi, &rengokeys, key_direction,
137  &kt, "dynamic tls-crypt");
138  secure_memzero(&rengokeys, sizeof(rengokeys));
139 
140  return true;
141 }
142 
143 
144 bool
145 tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
146  struct crypto_options *opt)
147 {
148  const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt;
149  struct gc_arena gc;
150 
151  /* IV, packet-ID and implicit IV required for this mode. */
152  ASSERT(ctx->cipher);
153  ASSERT(ctx->hmac);
154  ASSERT(packet_id_initialized(&opt->packet_id));
155  ASSERT(hmac_ctx_size(ctx->hmac) == 256/8);
156 
157  gc_init(&gc);
158 
159  dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP FROM: %s",
160  format_hex(BPTR(src), BLEN(src), 80, &gc));
161 
162  /* Get packet ID */
163  if (!packet_id_write(&opt->packet_id.send, dst, true, false))
164  {
165  msg(D_CRYPT_ERRORS, "TLS-CRYPT ERROR: packet ID roll over.");
166  goto err;
167  }
168 
169  dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP AD: %s",
170  format_hex(BPTR(dst), BLEN(dst), 0, &gc));
171 
172  /* Buffer overflow check */
173  if (!buf_safe(dst, BLEN(src) + TLS_CRYPT_BLOCK_SIZE + TLS_CRYPT_TAG_SIZE))
174  {
175  msg(D_CRYPT_ERRORS, "TLS-CRYPT WRAP: buffer size error, "
176  "sc=%d so=%d sl=%d dc=%d do=%d dl=%d", src->capacity, src->offset,
177  src->len, dst->capacity, dst->offset, dst->len);
178  goto err;
179  }
180 
181  /* Calculate auth tag and synthetic IV */
182  {
183  uint8_t *tag = NULL;
184  hmac_ctx_reset(ctx->hmac);
185  hmac_ctx_update(ctx->hmac, BPTR(dst), BLEN(dst));
186  hmac_ctx_update(ctx->hmac, BPTR(src), BLEN(src));
187 
188  ASSERT(tag = buf_write_alloc(dst, TLS_CRYPT_TAG_SIZE));
189  hmac_ctx_final(ctx->hmac, tag);
190 
191  dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP TAG: %s",
192  format_hex(tag, TLS_CRYPT_TAG_SIZE, 0, &gc));
193 
194  /* Use the 128 most significant bits of the tag as IV */
195  ASSERT(cipher_ctx_reset(ctx->cipher, tag));
196  }
197 
198  /* Encrypt src */
199  {
200  int outlen = 0;
201  ASSERT(cipher_ctx_update(ctx->cipher, BEND(dst), &outlen,
202  BPTR(src), BLEN(src)));
203  ASSERT(buf_inc_len(dst, outlen));
204  ASSERT(cipher_ctx_final(ctx->cipher, BPTR(dst), &outlen));
205  ASSERT(buf_inc_len(dst, outlen));
206  }
207 
208  dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP TO: %s",
209  format_hex(BPTR(dst), BLEN(dst), 80, &gc));
210 
211  gc_free(&gc);
212  return true;
213 
214 err:
215  crypto_clear_error();
216  dst->len = 0;
217  gc_free(&gc);
218  return false;
219 }
220 
221 bool
222 tls_crypt_unwrap(const struct buffer *src, struct buffer *dst,
223  struct crypto_options *opt)
224 {
225  static const char error_prefix[] = "tls-crypt unwrap error";
226  const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt;
227  struct gc_arena gc;
228 
229  gc_init(&gc);
230 
231  ASSERT(opt);
232  ASSERT(src->len > 0);
233  ASSERT(ctx->cipher);
234  ASSERT(packet_id_initialized(&opt->packet_id)
235  || (opt->flags & CO_IGNORE_PACKET_ID));
236 
237  dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP FROM: %s",
238  format_hex(BPTR(src), BLEN(src), 80, &gc));
239 
240  if (buf_len(src) < TLS_CRYPT_OFF_CT)
241  {
242  CRYPT_ERROR("packet too short");
243  }
244 
245  /* Decrypt cipher text */
246  {
247  int outlen = 0;
248 
249  /* Buffer overflow check (should never fail) */
250  if (!buf_safe(dst, BLEN(src) - TLS_CRYPT_OFF_CT + TLS_CRYPT_BLOCK_SIZE))
251  {
252  CRYPT_ERROR("potential buffer overflow");
253  }
254 
255  if (!cipher_ctx_reset(ctx->cipher, BPTR(src) + TLS_CRYPT_OFF_TAG))
256  {
257  CRYPT_ERROR("cipher reset failed");
258  }
259  if (!cipher_ctx_update(ctx->cipher, BPTR(dst), &outlen,
260  BPTR(src) + TLS_CRYPT_OFF_CT, BLEN(src) - TLS_CRYPT_OFF_CT))
261  {
262  CRYPT_ERROR("cipher update failed");
263  }
264  ASSERT(buf_inc_len(dst, outlen));
265  if (!cipher_ctx_final(ctx->cipher, BPTR(dst), &outlen))
266  {
267  CRYPT_ERROR("cipher final failed");
268  }
269  ASSERT(buf_inc_len(dst, outlen));
270  }
271 
272  /* Check authentication */
273  {
274  const uint8_t *tag = BPTR(src) + TLS_CRYPT_OFF_TAG;
275  uint8_t tag_check[TLS_CRYPT_TAG_SIZE] = { 0 };
276 
277  dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP AD: %s",
278  format_hex(BPTR(src), TLS_CRYPT_OFF_TAG, 0, &gc));
279  dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP TO: %s",
280  format_hex(BPTR(dst), BLEN(dst), 80, &gc));
281 
282  hmac_ctx_reset(ctx->hmac);
283  hmac_ctx_update(ctx->hmac, BPTR(src), TLS_CRYPT_OFF_TAG);
284  hmac_ctx_update(ctx->hmac, BPTR(dst), BLEN(dst));
285  hmac_ctx_final(ctx->hmac, tag_check);
286 
287  if (memcmp_constant_time(tag, tag_check, sizeof(tag_check)))
288  {
289  dmsg(D_CRYPTO_DEBUG, "tag : %s",
290  format_hex(tag, sizeof(tag_check), 0, &gc));
291  dmsg(D_CRYPTO_DEBUG, "tag_check: %s",
292  format_hex(tag_check, sizeof(tag_check), 0, &gc));
293  CRYPT_ERROR("packet authentication failed");
294  }
295  }
296 
297  /* Check replay */
298  if (!(opt->flags & CO_IGNORE_PACKET_ID))
299  {
300  struct packet_id_net pin;
301  struct buffer tmp = *src;
302  ASSERT(buf_advance(&tmp, TLS_CRYPT_OFF_PID));
303  ASSERT(packet_id_read(&pin, &tmp, true));
304  if (!crypto_check_replay(opt, &pin, error_prefix, &gc))
305  {
306  CRYPT_ERROR("packet replay");
307  }
308  }
309 
310  gc_free(&gc);
311  return true;
312 
313 error_exit:
314  crypto_clear_error();
315  dst->len = 0;
316  gc_free(&gc);
317  return false;
318 }
319 
320 static inline void
321 tls_crypt_v2_load_client_key(struct key_ctx_bi *key, const struct key2 *key2,
322  bool tls_server)
323 {
324  const int key_direction = tls_server ?
325  KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
326  struct key_type kt = tls_crypt_kt();
327  if (!kt.cipher || !kt.digest)
328  {
329  msg(M_FATAL, "ERROR: --tls-crypt-v2 not supported");
330  }
331  init_key_ctx_bi(key, key2, key_direction, &kt,
332  "Control Channel Encryption");
333 }
334 
335 void
336 tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key,
337  struct buffer *wkc_buf, const char *key_file,
338  bool key_inline)
339 {
340  struct buffer client_key = alloc_buf(TLS_CRYPT_V2_CLIENT_KEY_LEN
341  + TLS_CRYPT_V2_MAX_WKC_LEN);
342 
343  if (!read_pem_key_file(&client_key, tls_crypt_v2_cli_pem_name,
344  key_file, key_inline))
345  {
346  msg(M_FATAL, "ERROR: invalid tls-crypt-v2 client key format");
347  }
348 
349  struct key2 key2 = { .n = 2 };
350  if (!buf_read(&client_key, &key2.keys, sizeof(key2.keys)))
351  {
352  msg(M_FATAL, "ERROR: not enough data in tls-crypt-v2 client key");
353  }
354 
355  tls_crypt_v2_load_client_key(key, &key2, false);
356  *original_key = key2;
357 
358  *wkc_buf = client_key;
359 }
360 
361 void
362 tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt,
363  const char *key_file, bool key_inline)
364 {
365  struct key srv_key;
366  struct buffer srv_key_buf;
367 
368  buf_set_write(&srv_key_buf, (void *)&srv_key, sizeof(srv_key));
369  if (!read_pem_key_file(&srv_key_buf, tls_crypt_v2_srv_pem_name,
370  key_file, key_inline))
371  {
372  msg(M_FATAL, "ERROR: invalid tls-crypt-v2 server key format");
373  }
374 
375  struct key_type kt = tls_crypt_kt();
376  if (!kt.cipher || !kt.digest)
377  {
378  msg(M_FATAL, "ERROR: --tls-crypt-v2 not supported");
379  }
380  init_key_ctx(key_ctx, &srv_key, &kt, encrypt, "tls-crypt-v2 server key");
381  secure_memzero(&srv_key, sizeof(srv_key));
382 }
383 
384 static bool
385 tls_crypt_v2_wrap_client_key(struct buffer *wkc,
386  const struct key2 *src_key,
387  const struct buffer *src_metadata,
388  struct key_ctx *server_key, struct gc_arena *gc)
389 {
390  cipher_ctx_t *cipher_ctx = server_key->cipher;
391  struct buffer work = alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN
392  + cipher_ctx_block_size(cipher_ctx), gc);
393 
394  /* Calculate auth tag and synthetic IV */
395  uint8_t *tag = buf_write_alloc(&work, TLS_CRYPT_TAG_SIZE);
396  if (!tag)
397  {
398  msg(M_WARN, "ERROR: could not write tag");
399  return false;
400  }
401  uint16_t net_len = htons(sizeof(src_key->keys) + BLEN(src_metadata)
402  + TLS_CRYPT_V2_TAG_SIZE + sizeof(uint16_t));
403  hmac_ctx_t *hmac_ctx = server_key->hmac;
404  hmac_ctx_reset(hmac_ctx);
405  hmac_ctx_update(hmac_ctx, (void *)&net_len, sizeof(net_len));
406  hmac_ctx_update(hmac_ctx, (void *)src_key->keys, sizeof(src_key->keys));
407  hmac_ctx_update(hmac_ctx, BPTR(src_metadata), BLEN(src_metadata));
408  hmac_ctx_final(hmac_ctx, tag);
409 
410  dmsg(D_CRYPTO_DEBUG, "TLS-CRYPT WRAP TAG: %s",
411  format_hex(tag, TLS_CRYPT_TAG_SIZE, 0, gc));
412 
413  /* Use the 128 most significant bits of the tag as IV */
414  ASSERT(cipher_ctx_reset(cipher_ctx, tag));
415 
416  /* Overflow check (OpenSSL requires an extra block in the dst buffer) */
417  if (buf_forward_capacity(&work) < (sizeof(src_key->keys)
418  + BLEN(src_metadata)
419  + sizeof(net_len)
420  + cipher_ctx_block_size(cipher_ctx)))
421  {
422  msg(M_WARN, "ERROR: could not crypt: insufficient space in dst");
423  return false;
424  }
425 
426  /* Encrypt */
427  int outlen = 0;
428  ASSERT(cipher_ctx_update(cipher_ctx, BEND(&work), &outlen,
429  (void *)src_key->keys, sizeof(src_key->keys)));
430  ASSERT(buf_inc_len(&work, outlen));
431  ASSERT(cipher_ctx_update(cipher_ctx, BEND(&work), &outlen,
432  BPTR(src_metadata), BLEN(src_metadata)));
433  ASSERT(buf_inc_len(&work, outlen));
434  ASSERT(cipher_ctx_final(cipher_ctx, BEND(&work), &outlen));
435  ASSERT(buf_inc_len(&work, outlen));
436  ASSERT(buf_write(&work, &net_len, sizeof(net_len)));
437 
438  return buf_copy(wkc, &work);
439 }
440 
441 static bool
442 tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata,
443  struct buffer wrapped_client_key,
444  struct key_ctx *server_key)
445 {
446  const char *error_prefix = __func__;
447  bool ret = false;
448  struct gc_arena gc = gc_new();
449  /* The crypto API requires one extra cipher block of buffer head room when
450  * decrypting, which nicely matches the tag size of WKc. So
451  * TLS_CRYPT_V2_MAX_WKC_LEN is always large enough for the plaintext. */
452  uint8_t plaintext_buf_data[TLS_CRYPT_V2_MAX_WKC_LEN] = { 0 };
453  struct buffer plaintext = { 0 };
454 
455  dmsg(D_TLS_DEBUG_MED, "%s: unwrapping client key (len=%d): %s", __func__,
456  BLEN(&wrapped_client_key), format_hex(BPTR(&wrapped_client_key),
457  BLEN(&wrapped_client_key),
458  0, &gc));
459 
460  if (TLS_CRYPT_V2_MAX_WKC_LEN < BLEN(&wrapped_client_key))
461  {
462  CRYPT_ERROR("wrapped client key too big");
463  }
464 
465  /* Decrypt client key and metadata */
466  uint16_t net_len = 0;
467  const uint8_t *tag = BPTR(&wrapped_client_key);
468 
469  if (BLEN(&wrapped_client_key) < sizeof(net_len))
470  {
471  CRYPT_ERROR("failed to read length");
472  }
473  memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len),
474  sizeof(net_len));
475 
476  if (ntohs(net_len) != BLEN(&wrapped_client_key))
477  {
478  dmsg(D_TLS_DEBUG_LOW, "%s: net_len=%u, BLEN=%i", __func__,
479  ntohs(net_len), BLEN(&wrapped_client_key));
480  CRYPT_ERROR("invalid length");
481  }
482 
483  buf_inc_len(&wrapped_client_key, -(int)sizeof(net_len));
484 
485  if (!buf_advance(&wrapped_client_key, TLS_CRYPT_TAG_SIZE))
486  {
487  CRYPT_ERROR("failed to read tag");
488  }
489 
490  if (!cipher_ctx_reset(server_key->cipher, tag))
491  {
492  CRYPT_ERROR("failed to initialize IV");
493  }
494  buf_set_write(&plaintext, plaintext_buf_data, sizeof(plaintext_buf_data));
495  int outlen = 0;
496  if (!cipher_ctx_update(server_key->cipher, BPTR(&plaintext), &outlen,
497  BPTR(&wrapped_client_key),
498  BLEN(&wrapped_client_key)))
499  {
500  CRYPT_ERROR("could not decrypt client key");
501  }
502  ASSERT(buf_inc_len(&plaintext, outlen));
503 
504  if (!cipher_ctx_final(server_key->cipher, BEND(&plaintext), &outlen))
505  {
506  CRYPT_ERROR("cipher final failed");
507  }
508  ASSERT(buf_inc_len(&plaintext, outlen));
509 
510  /* Check authentication */
511  uint8_t tag_check[TLS_CRYPT_TAG_SIZE] = { 0 };
512  hmac_ctx_reset(server_key->hmac);
513  hmac_ctx_update(server_key->hmac, (void *)&net_len, sizeof(net_len));
514  hmac_ctx_update(server_key->hmac, BPTR(&plaintext),
515  BLEN(&plaintext));
516  hmac_ctx_final(server_key->hmac, tag_check);
517 
518  if (memcmp_constant_time(tag, tag_check, sizeof(tag_check)))
519  {
520  dmsg(D_CRYPTO_DEBUG, "tag : %s",
521  format_hex(tag, sizeof(tag_check), 0, &gc));
522  dmsg(D_CRYPTO_DEBUG, "tag_check: %s",
523  format_hex(tag_check, sizeof(tag_check), 0, &gc));
524  CRYPT_ERROR("client key authentication error");
525  msg(D_TLS_DEBUG_LOW, "This might be a client-key that was generated for "
526  "a different tls-crypt-v2 server key)");
527  }
528 
529  if (buf_len(&plaintext) < sizeof(client_key->keys))
530  {
531  CRYPT_ERROR("failed to read client key");
532  }
533  memcpy(&client_key->keys, BPTR(&plaintext), sizeof(client_key->keys));
534  ASSERT(buf_advance(&plaintext, sizeof(client_key->keys)));
535  client_key->n = 2;
536 
537  if (!buf_copy(metadata, &plaintext))
538  {
539  CRYPT_ERROR("metadata too large for supplied buffer");
540  }
541 
542  ret = true;
543 error_exit:
544  if (!ret)
545  {
546  secure_memzero(client_key, sizeof(*client_key));
547  }
548  buf_clear(&plaintext);
549  gc_free(&gc);
550  return ret;
551 }
552 
553 static bool
554 tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx,
555  const struct tls_options *opt)
556 {
557  bool ret = false;
558  struct gc_arena gc = gc_new();
559  const char *tmp_file = NULL;
560  struct buffer metadata = ctx->tls_crypt_v2_metadata;
561  int metadata_type = buf_read_u8(&metadata);
562  if (metadata_type < 0)
563  {
564  msg(M_WARN, "ERROR: no metadata type");
565  goto cleanup;
566  }
567 
568  tmp_file = platform_create_temp_file(opt->tmp_dir, "tls_crypt_v2_metadata_",
569  &gc);
570  if (!tmp_file || !buffer_write_file(tmp_file, &metadata))
571  {
572  msg(M_WARN, "ERROR: could not write metadata to file");
573  goto cleanup;
574  }
575 
576  char metadata_type_str[4] = { 0 }; /* Max value: 255 */
577  snprintf(metadata_type_str, sizeof(metadata_type_str),
578  "%i", (uint8_t) metadata_type);
579  struct env_set *es = env_set_create(NULL);
580  setenv_str(es, "script_type", "tls-crypt-v2-verify");
581  setenv_str(es, "metadata_type", metadata_type_str);
582  setenv_str(es, "metadata_file", tmp_file);
583 
584  struct argv argv = argv_new();
585  argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
586  argv_msg_prefix(D_TLS_DEBUG, &argv, "Executing tls-crypt-v2-verify");
587 
588  ret = openvpn_run_script(&argv, es, 0, "--tls-crypt-v2-verify");
589 
590  argv_free(&argv);
591  env_set_destroy(es);
592 
593  if (!platform_unlink(tmp_file))
594  {
595  msg(M_WARN, "WARNING: failed to remove temp file '%s", tmp_file);
596  }
597 
598  if (ret)
599  {
600  msg(D_HANDSHAKE, "TLS CRYPT V2 VERIFY SCRIPT OK");
601  }
602  else
603  {
604  msg(D_HANDSHAKE, "TLS CRYPT V2 VERIFY SCRIPT ERROR");
605  }
606 
607 cleanup:
608  gc_free(&gc);
609  return ret;
610 }
611 
612 bool
613 tls_crypt_v2_extract_client_key(struct buffer *buf,
614  struct tls_wrap_ctx *ctx,
615  const struct tls_options *opt)
616 {
617  if (!ctx->tls_crypt_v2_server_key.cipher)
618  {
619  msg(D_TLS_ERRORS,
620  "Client wants tls-crypt-v2, but no server key present.");
621  return false;
622  }
623 
624  msg(D_HANDSHAKE, "Control Channel: using tls-crypt-v2 key");
625 
626  struct buffer wrapped_client_key = *buf;
627  uint16_t net_len = 0;
628 
629  if (BLEN(&wrapped_client_key) < sizeof(net_len))
630  {
631  msg(D_TLS_ERRORS, "Can not read tls-crypt-v2 client key length");
632  return false;
633  }
634  memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len),
635  sizeof(net_len));
636 
637  size_t wkc_len = ntohs(net_len);
638  if (!buf_advance(&wrapped_client_key, BLEN(&wrapped_client_key) - wkc_len))
639  {
640  msg(D_TLS_ERRORS, "Can not locate tls-crypt-v2 client key");
641  return false;
642  }
643 
644  ctx->tls_crypt_v2_metadata = alloc_buf(TLS_CRYPT_V2_MAX_METADATA_LEN);
645  if (!tls_crypt_v2_unwrap_client_key(&ctx->original_wrap_keydata,
646  &ctx->tls_crypt_v2_metadata,
647  wrapped_client_key,
648  &ctx->tls_crypt_v2_server_key))
649  {
650  msg(D_TLS_ERRORS, "Can not unwrap tls-crypt-v2 client key");
651  secure_memzero(&ctx->original_wrap_keydata, sizeof(ctx->original_wrap_keydata));
652  return false;
653  }
654 
655  /* Load the decrypted key */
656  ctx->mode = TLS_WRAP_CRYPT;
657  ctx->cleanup_key_ctx = true;
658  ctx->opt.flags |= CO_PACKET_ID_LONG_FORM;
659  memset(&ctx->opt.key_ctx_bi, 0, sizeof(ctx->opt.key_ctx_bi));
660  tls_crypt_v2_load_client_key(&ctx->opt.key_ctx_bi,
661  &ctx->original_wrap_keydata, true);
662 
663  /* Remove client key from buffer so tls-crypt code can unwrap message */
664  ASSERT(buf_inc_len(buf, -(BLEN(&wrapped_client_key))));
665 
666  if (opt && opt->tls_crypt_v2_verify_script)
667  {
668  return tls_crypt_v2_verify_metadata(ctx, opt);
669  }
670 
671  return true;
672 }
673 
674 void
675 tls_crypt_v2_write_server_key_file(const char *filename)
676 {
677  write_pem_key_file(filename, tls_crypt_v2_srv_pem_name);
678 }
679 
680 void
681 tls_crypt_v2_write_client_key_file(const char *filename,
682  const char *b64_metadata,
683  const char *server_key_file,
684  bool server_key_inline)
685 {
686  struct gc_arena gc = gc_new();
687  struct key_ctx server_key = { 0 };
688  struct buffer client_key_pem = { 0 };
689  struct buffer dst = alloc_buf_gc(TLS_CRYPT_V2_CLIENT_KEY_LEN
690  + TLS_CRYPT_V2_MAX_WKC_LEN, &gc);
691  struct key2 client_key = { 2 };
692 
693  if (!rand_bytes((void *)client_key.keys, sizeof(client_key.keys)))
694  {
695  msg(M_FATAL, "ERROR: could not generate random key");
696  goto cleanup;
697  }
698  ASSERT(buf_write(&dst, client_key.keys, sizeof(client_key.keys)));
699 
700  struct buffer metadata;
701  if (b64_metadata)
702  {
703  size_t b64_length = strlen(b64_metadata);
704  metadata = alloc_buf_gc(OPENVPN_BASE64_DECODED_LENGTH(b64_length) + 1, &gc);
705  ASSERT(buf_write(&metadata, &TLS_CRYPT_METADATA_TYPE_USER, 1));
706  int decoded_len = openvpn_base64_decode(b64_metadata, BEND(&metadata),
707  BCAP(&metadata));
708  if (decoded_len < 0)
709  {
710  msg(M_FATAL, "ERROR: failed to base64 decode provided metadata");
711  goto cleanup;
712  }
713  if (decoded_len > TLS_CRYPT_V2_MAX_METADATA_LEN - 1)
714  {
715  msg(M_FATAL,
716  "ERROR: metadata too long (%d bytes, max %u bytes)",
717  decoded_len, TLS_CRYPT_V2_MAX_METADATA_LEN - 1);
718  goto cleanup;
719  }
720  ASSERT(buf_inc_len(&metadata, decoded_len));
721  }
722  else
723  {
724  metadata = alloc_buf_gc(1 + sizeof(int64_t), &gc);
725  int64_t timestamp = htonll((uint64_t)now);
726  ASSERT(buf_write(&metadata, &TLS_CRYPT_METADATA_TYPE_TIMESTAMP, 1));
727  ASSERT(buf_write(&metadata, &timestamp, sizeof(timestamp)));
728  }
729 
730  tls_crypt_v2_init_server_key(&server_key, true, server_key_file,
731  server_key_inline);
732  if (!tls_crypt_v2_wrap_client_key(&dst, &client_key, &metadata, &server_key,
733  &gc))
734  {
735  msg(M_FATAL, "ERROR: could not wrap generated client key");
736  goto cleanup;
737  }
738 
739  /* PEM-encode Kc || WKc */
740  if (!crypto_pem_encode(tls_crypt_v2_cli_pem_name, &client_key_pem, &dst,
741  &gc))
742  {
743  msg(M_FATAL, "ERROR: could not PEM-encode client key");
744  goto cleanup;
745  }
746 
747  const char *client_file = filename;
748  bool client_inline = false;
749 
750  if (!filename || streq(filename, ""))
751  {
752  printf("%.*s\n", BLEN(&client_key_pem), BPTR(&client_key_pem));
753  client_file = (const char *)BPTR(&client_key_pem);
754  client_inline = true;
755  }
756  else if (!buffer_write_file(filename, &client_key_pem))
757  {
758  msg(M_FATAL, "ERROR: could not write client key file");
759  goto cleanup;
760  }
761 
762  /* Sanity check: load client key (as "client") */
763  struct key_ctx_bi test_client_key;
764  struct buffer test_wrapped_client_key;
765  struct key2 keydata;
766  msg(D_GENKEY, "Testing client-side key loading...");
767  tls_crypt_v2_init_client_key(&test_client_key, &keydata, &test_wrapped_client_key,
768  client_file, client_inline);
769  free_key_ctx_bi(&test_client_key);
770 
771  /* Sanity check: unwrap and load client key (as "server") */
772  struct buffer test_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN,
773  &gc);
774  struct key2 test_client_key2 = { 0 };
775  free_key_ctx(&server_key);
776  tls_crypt_v2_init_server_key(&server_key, false, server_key_file,
777  server_key_inline);
778  msg(D_GENKEY, "Testing server-side key loading...");
779  ASSERT(tls_crypt_v2_unwrap_client_key(&test_client_key2, &test_metadata,
780  test_wrapped_client_key, &server_key));
781  secure_memzero(&test_client_key2, sizeof(test_client_key2));
782  free_buf(&test_wrapped_client_key);
783 
784 cleanup:
785  secure_memzero(&client_key, sizeof(client_key));
786  free_key_ctx(&server_key);
787  buf_clear(&client_key_pem);
788  buf_clear(&dst);
789 
790  gc_free(&gc);
791 }
buf_safe
static bool buf_safe(const struct buffer *buf, size_t len)
Definition: buffer.h:525
buffer_write_file
bool buffer_write_file(const char *filename, const struct buffer *buf)
Write buffer contents to file.
Definition: buffer.c:318
platform_create_temp_file
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:554
openvpn_base64_decode
int openvpn_base64_decode(const char *str, void *data, int size)
Definition: base64.c:158
D_TLS_DEBUG
#define D_TLS_DEBUG
Definition: errlevel.h:165
key2::n
int n
The number of key objects stored in the key2.keys array.
Definition: crypto.h:181
tls_crypt_v2_verify_metadata
static bool tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx, const struct tls_options *opt)
Definition: tls_crypt.c:554
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:362
buf_read
static bool buf_read(struct buffer *src, void *dest, int size)
Definition: buffer.h:783
TLS_CRYPT_V2_MAX_METADATA_LEN
#define TLS_CRYPT_V2_MAX_METADATA_LEN
Definition: tls_crypt.h:101
tls_wrap_ctx::original_wrap_keydata
struct key2 original_wrap_keydata
original key data to be xored in to the key for dynamic tls-crypt.
Definition: ssl_common.h:289
D_PACKET_CONTENT
#define D_PACKET_CONTENT
Definition: errlevel.h:168
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1030
hmac_ctx_t
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
Definition: crypto_mbedtls.h:46
run_command.h
key2
#define key2
Definition: cert_data.h:82
EXPORT_DYNAMIC_TLS_CRYPT_LABEL
#define EXPORT_DYNAMIC_TLS_CRYPT_LABEL
Definition: ssl_backend.h:392
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:79
M_FATAL
#define M_FATAL
Definition: error.h:89
env_set_destroy
void env_set_destroy(struct env_set *es)
Definition: env_set.c:166
argv
Definition: argv.h:35
TLS_CRYPT_V2_MAX_WKC_LEN
#define TLS_CRYPT_V2_MAX_WKC_LEN
Definition: tls_crypt.h:97
streq
#define streq(x, y)
Definition: options.h:707
KEY_DIRECTION_NORMAL
#define KEY_DIRECTION_NORMAL
Definition: crypto.h:172
tls_crypt_unwrap
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Unwrap a control channel packet (decrypts, authenticates and performs replay checks).
Definition: tls_crypt.c:222
es
struct env_set * es
Definition: test_pkcs11.c:133
D_TLS_DEBUG_LOW
#define D_TLS_DEBUG_LOW
Definition: errlevel.h:77
D_HANDSHAKE
#define D_HANDSHAKE
Definition: errlevel.h:72
tls_crypt_v2_init_client_key
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key, struct buffer *wkc_buf, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 client key.
Definition: tls_crypt.c:336
buffer::capacity
int capacity
Size in bytes of memory allocated by malloc().
Definition: buffer.h:62
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
openvpn_run_script
static int openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Will run a script and return the exit code of the script if between 0 and 255, -1 otherwise.
Definition: run_command.h:64
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:681
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:102
key_ctx::cipher
cipher_ctx_t * cipher
Generic cipher context.
Definition: crypto.h:164
D_CRYPTO_DEBUG
#define D_CRYPTO_DEBUG
Definition: errlevel.h:148
buf_clear
void buf_clear(struct buffer *buf)
Definition: buffer.c:162
key_ctx_bi::encrypt
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition: crypto.h:219
dmsg
#define dmsg(flags,...)
Definition: error.h:148
KEY_DIRECTION_INVERSE
#define KEY_DIRECTION_INVERSE
Definition: crypto.h:173
packet_id_initialized
static bool packet_id_initialized(const struct packet_id *pid)
Is this struct packet_id initialized?
Definition: packet_id.h:269
buf_copy
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition: buffer.h:717
hmac_ctx_update
void hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len)
argv_msg_prefix
void argv_msg_prefix(const int msglev, const struct argv *a, const char *prefix)
Similar to argv_msg() but prefixes the messages being written with a given string.
Definition: argv.c:260
BEND
#define BEND(buf)
Definition: buffer.h:125
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:483
key_direction_state_init
void key_direction_state_init(struct key_direction_state *kds, int key_direction)
Definition: crypto.c:1478
session_id.h
TLS_CRYPT_METADATA_TYPE_USER
static const uint8_t TLS_CRYPT_METADATA_TYPE_USER
Metadata contains user-specified data.
Definition: tls_crypt.c:44
TLS_CRYPT_BLOCK_SIZE
#define TLS_CRYPT_BLOCK_SIZE
Definition: tls_crypt.h:91
tls_crypt.h
key::hmac
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition: crypto.h:153
tls_crypt_buf_overhead
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition: tls_crypt.c:55
TLS_CRYPT_OFF_TAG
#define TLS_CRYPT_OFF_TAG
Definition: tls_crypt.h:94
tls_options::tmp_dir
const char * tmp_dir
Definition: ssl_common.h:379
MAX_CIPHER_KEY_LENGTH
#define MAX_CIPHER_KEY_LENGTH
Definition: crypto_backend.h:177
tls_multi
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:590
TLS_CRYPT_OFF_PID
#define TLS_CRYPT_OFF_PID
Definition: tls_crypt.h:93
cipher_ctx_final
int cipher_ctx_final(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len)
Pads the final cipher block using PKCS padding, and output to the destination buffer.
crypto_read_openvpn_key
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name, struct key2 *keydata)
Definition: crypto.c:1094
init_key_ctx_bi
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Definition: crypto.c:869
key
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:149
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition: crypto.c:906
D_GENKEY
#define D_GENKEY
Definition: errlevel.h:79
key_ctx_bi
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition: crypto.h:217
secure_memzero
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition: buffer.h:414
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:273
ASSERT
#define ASSERT(x)
Definition: error.h:195
MAX_HMAC_KEY_LENGTH
#define MAX_HMAC_KEY_LENGTH
Definition: crypto_backend.h:495
tls_wrap_ctx::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition: ssl_common.h:275
buf_advance
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:623
argv.h
buf_inc_len
static bool buf_inc_len(struct buffer *buf, int inc)
Definition: buffer.h:595
tls_crypt_kt
static struct key_type tls_crypt_kt(void)
Definition: tls_crypt.c:49
tls_options
Definition: ssl_common.h:296
tls_crypt_v2_load_client_key
static void tls_crypt_v2_load_client_key(struct key_ctx_bi *key, const struct key2 *key2, bool tls_server)
Definition: tls_crypt.c:321
BLEN
#define BLEN(buf)
Definition: buffer.h:127
tls_crypt_v2_wrap_client_key
static bool tls_crypt_v2_wrap_client_key(struct buffer *wkc, const struct key2 *src_key, const struct buffer *src_metadata, struct key_ctx *server_key, struct gc_arena *gc)
Definition: tls_crypt.c:385
key_direction_state
Key ordering of the key2.keys array.
Definition: crypto.h:196
key_type::digest
const char * digest
Message digest static parameters.
Definition: crypto.h:142
tls_wrap_ctx
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition: ssl_common.h:266
cipher_ctx_t
mbedtls_cipher_context_t cipher_ctx_t
Generic cipher context.
Definition: crypto_mbedtls.h:40
init_key_ctx
void init_key_ctx(struct key_ctx *ctx, const struct key *key, const struct key_type *kt, int enc, const char *prefix)
Definition: crypto.c:824
M_WARN
#define M_WARN
Definition: error.h:91
cipher_ctx_update
int cipher_ctx_update(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len, uint8_t *src, int src_len)
Updates the given cipher context, encrypting data in the source buffer, and placing any complete bloc...
tls_crypt_wrap
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Wrap a control channel packet (both authenticates and encrypts the data).
Definition: tls_crypt.c:145
key_ctx
Container for one set of cipher and/or HMAC contexts.
Definition: crypto.h:162
OPENVPN_BASE64_DECODED_LENGTH
#define OPENVPN_BASE64_DECODED_LENGTH(base64_length)
Compute the maximal number of bytes encoded in a base64 string.
Definition: base64.h:42
tls_wrap_ctx::tls_crypt_v2_metadata
struct buffer tls_crypt_v2_metadata
Received from client.
Definition: ssl_common.h:278
crypto.h
crypto_clear_error
void crypto_clear_error(void)
Definition: crypto_openssl.c:229
TLS_CRYPT_OFF_CT
#define TLS_CRYPT_OFF_CT
Definition: tls_crypt.h:95
tls_options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:368
base64.h
tls_crypt_v2_cli_pem_name
const char * tls_crypt_v2_cli_pem_name
Definition: tls_crypt.c:40
test_client_key
static const char * test_client_key
Definition: test_tls_crypt.c:67
TLS_CRYPT_METADATA_TYPE_TIMESTAMP
static const uint8_t TLS_CRYPT_METADATA_TYPE_TIMESTAMP
Metadata contains a 64-bit unix timestamp in network byte order.
Definition: tls_crypt.c:46
hmac_ctx_final
void hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst)
packet_id_read
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
Definition: packet_id.c:299
tls_crypt_init_key
void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file, bool key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition: tls_crypt.c:61
key_state_export_keying_material
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
Definition: ssl_openssl.c:149
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
argv::gc
struct gc_arena gc
Definition: argv.h:36
hmac_ctx_reset
void hmac_ctx_reset(hmac_ctx_t *ctx)
rand_bytes
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
Definition: crypto_openssl.c:592
TLS_CRYPT_V2_TAG_SIZE
#define TLS_CRYPT_V2_TAG_SIZE
Definition: tls_crypt.h:100
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
key_type
Definition: crypto.h:139
D_CRYPT_ERRORS
#define D_CRYPT_ERRORS
Definition: errlevel.h:58
buf_write
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition: buffer.h:673
BCAP
#define BCAP(buf)
Definition: buffer.h:130
cipher_ctx_block_size
int cipher_ctx_block_size(const cipher_ctx_t *ctx)
Returns the block size of the cipher, in bytes.
platform_unlink
bool platform_unlink(const char *filename)
Definition: platform.c:501
ssl.h
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:471
env_set_create
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:156
syshead.h
BPTR
#define BPTR(buf)
Definition: buffer.h:124
create_kt
static struct key_type create_kt(const char *cipher, const char *md, const char *optname)
Creates and validates an instance of struct key_type with the provided algs.
Definition: crypto.h:576
platform.h
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:283
crypto_pem_encode
bool crypto_pem_encode(const char *name, struct buffer *dst, const struct buffer *src, struct gc_arena *gc)
Encode binary data as PEM.
Definition: crypto_openssl.c:502
buf_set_write
static void buf_set_write(struct buffer *buf, uint8_t *data, int size)
Definition: buffer.h:331
key_type::cipher
const char * cipher
const name of the cipher
Definition: crypto.h:141
tls_crypt_v2_unwrap_client_key
static bool tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata, struct buffer wrapped_client_key, struct key_ctx *server_key)
Definition: tls_crypt.c:442
buffer::offset
int offset
Offset in bytes of the actual content within the allocated memory.
Definition: buffer.h:64
packet_id_write
bool packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form, bool prepend)
Write a packet ID to buf, and update the packet ID state.
Definition: packet_id.c:347
env_set
Definition: env_set.h:42
CRYPT_ERROR
#define CRYPT_ERROR(format)
Definition: crypto.h:287
tls_crypt_v2_srv_pem_name
const char * tls_crypt_v2_srv_pem_name
Definition: tls_crypt.c:41
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:88
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:183
memcmp_constant_time
int memcmp_constant_time(const void *a, const void *b, size_t size)
As memcmp(), but constant-time.
Definition: crypto_openssl.c:1345
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:889
crypto_check_replay
bool crypto_check_replay(struct crypto_options *opt, const struct packet_id_net *pin, const char *error_prefix, struct gc_arena *gc)
Check packet ID for replay, and perform replay administration.
Definition: crypto.c:312
buf_len
static int buf_len(const struct buffer *buf)
Definition: buffer.h:253
write_pem_key_file
void write_pem_key_file(const char *filename, const char *pem_name)
Generate a server key with enough randomness to fill a key struct and write to file.
Definition: crypto.c:1700
D_TLS_DEBUG_MED
#define D_TLS_DEBUG_MED
Definition: errlevel.h:157
TLS_CRYPT_TAG_SIZE
#define TLS_CRYPT_TAG_SIZE
Definition: tls_crypt.h:89
packet_id::send
struct packet_id_send send
Definition: packet_id.h:202
tls_crypt_v2_extract_client_key
bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct tls_options *opt)
Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3 message, and load the key int...
Definition: tls_crypt.c:613
htonll
#define htonll(x)
Definition: integer.h:30
packet_id_size
static int packet_id_size(bool long_form)
Definition: packet_id.h:310
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition: crypto.h:250
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1038
BUF_SIZE
#define BUF_SIZE(f)
Definition: mtu.h:172
key::cipher
uint8_t cipher[MAX_CIPHER_KEY_LENGTH]
Key material for cipher operations.
Definition: crypto.h:151
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:232
now
time_t now
Definition: otime.c:34
buf_write_alloc
static uint8_t * buf_write_alloc(struct buffer *buf, size_t size)
Definition: buffer.h:640
config.h
cipher_ctx_reset
int cipher_ctx_reset(cipher_ctx_t *ctx, const uint8_t *iv_buf)
Resets the given cipher context, setting the IV to the specified value.
xor_key2
static void xor_key2(struct key2 *key, const struct key2 *other)
Will produce key = key XOR other.
Definition: tls_crypt.c:79
packet_id_net
Definition: packet_id.h:194
gc_init
static void gc_init(struct gc_arena *a)
Definition: buffer.h:1017
read_pem_key_file
bool read_pem_key_file(struct buffer *key, const char *pem_name, const char *key_file, bool key_inline)
Read key material from a PEM encoded files into the key structure.
Definition: crypto.c:1756
key2
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:179
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:510
CO_IGNORE_PACKET_ID
#define CO_IGNORE_PACKET_ID
Bit-flag indicating whether to ignore the packet ID of a received packet.
Definition: crypto.h:253
session
Definition: keyingmaterialexporter.c:56
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:795
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:236
buf_forward_capacity
static int buf_forward_capacity(const struct buffer *buf)
Definition: buffer.h:546
key_ctx::hmac
hmac_ctx_t * hmac
Generic HMAC context.
Definition: crypto.h:165
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:283
key2::keys
struct key keys[2]
Two unidirectional sets of key material.
Definition: crypto.h:183
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:62
tls_wrap_ctx::mode
enum tls_wrap_ctx::@17 mode
Control channel wrapping mode.
TLS_CRYPT_V2_CLIENT_KEY_LEN
#define TLS_CRYPT_V2_CLIENT_KEY_LEN
Definition: tls_crypt.h:98
msg
#define msg(flags,...)
Definition: error.h:144
key_ctx_bi::decrypt
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition: crypto.h:221
tls_wrap_ctx::cleanup_key_ctx
bool cleanup_key_ctx
opt.key_ctx_bi is owned by this context
Definition: ssl_common.h:279
tls_session_generate_dynamic_tls_crypt_key
bool tls_session_generate_dynamic_tls_crypt_key(struct tls_multi *multi, struct tls_session *session)
Generates a TLS-Crypt key to be used with dynamic tls-crypt using the TLS EKM exporter function.
Definition: tls_crypt.c:98
hmac_ctx_size
int hmac_ctx_size(hmac_ctx_t *ctx)
crypto_options
Security parameter state for processing data channel packets.
Definition: crypto.h:230
tls_crypt_v2_write_server_key_file
void tls_crypt_v2_write_server_key_file(const char *filename)
Generate a tls-crypt-v2 server key, and write to file.
Definition: tls_crypt.c:675
cleanup
static int cleanup(void **state)
Definition: test_pkcs11.c:280
Generated by   doxygen 1.8.17